Very interesting blog article from Ben Rothke about implementing a DLP solution in five steps:

• Step 1 – Level set
• Step 2 – Show me the data, or at least tell me where it is
• Step 3 – Data classification
• Step 4 – DLP strategy
• Step 5 – Product selection, testing and deployment

Read the full article on his blog.

This has been reported by Alexandre Dulaunoy on Twitter: Google Talk keeps track of your SMS!

Goodiff, a service for automated tracking of semantic changes in web service policies, reported the following change: “When you send and receive SMS messages to or from Google Talk, we collect and maintain information associated with those messages, such as the phone number, the wireless carrier associated with the phone number, the content of the message, and the date and time of the transaction.”

This can lead to potential, involuntary data leak… SMS are too often considered as a secure way to transmit information (like temporary access codes).

Support forums are very popular on the Internet. Some help about any manufacturer or applications can be found for free and, often, performed by very competent people. But, when commercial products are involved), it can be dangerous to post official information coming from the manufacturer or the developer itself…

This is a bad story for an Orange employee. Orange (part of the France Telecom group) is a telecommunications operator (Internet, mobile and IPTV) which distributes the iPhone on the French market. This mobile phone is very popular and a lot of forums are dedicated to it. On one of them, iphonefr.com, an Orange employee was very active under the pseudo “Devax”. This guy was very helpful to the forum community and contributed to help a lot of users to fix issues or to choose the best offers. Of course, he made that for free, outside his work hours.

He was arrested by the Police and accused of disclosing confidential information! Why? He published on his blog the “new” communication rates not yet made publicly available by Orange (but already present on the Intranet).

The question which arise is: Is a document published on a company Intranet classified as non-confidential? Was the document correctly classified?

Here is a copy of an article in a French newspaper: Un salarié de France Telecom mis à pied pour ses indiscrétions sur un blog.

Are you looking for information about DLP (“Data Loss Prevention/Protection“)?
Let’s start with the DLP Toolkit.

“Your kit includes five research reports, an interactive assessment tool, and a library of webcasts, providing direct insights into how your peers are overcoming security challenges on their way to success. Discover the strategies and initiatives that you can implement today to achieve Best-in-Class performance.”

Working as a Security Consultant, I’m always on the road between several customers sites. Some customers allow a limited access from remote locations to perform maintenance tasks or investigations via secure accesses.

I always scare myself how it is easy to send data outside of a security perimeter! But don’t shoot me:

• I’m not trying to steal data nor to send confidential data into the wild Internet;
• I’ve permission to access the data;
• When I need to grab data, they are always sent encrypted (the data itself or the connection).

A good example? When I’m requested to update an open ticket by sending information located on another site. I don’t “hack” the remote site, I’ve always at least one entry points (VPN, SSH tunnels, etc). Once logged on a server or appliance, I simply have to jump on another one. I can use SSH tunnels or any other remote control protocol. There are plenty of tools and ways to access the needed data.

It makes me scary: Once successfully connected on a server, it should be a piece of cake for a “bad guy” to steal data in so many environments! And if it’s so easy, can you imagine from the internal network? What’s your company point of view regarding data leaks? Prevention and awareness are key words!